CRON#TRAP Attack: Weaponized Linux VM Targets Windows Machines

The phishing email carries an unusually large (285 MB) ZIP attachment named “OneAmerica Survey.zip”. Inside is a hidden folder, “data”, that holds a complete QEMU installation, with the emulator binary disguised as “fontdiag.exe”.

Clicking the shortcut “OneAmerica Survey.lnk” executes a PowerShell script that re-extracts the archive and runs a batch file, “start.bat”. The batch file displays a fake “server error” and then launches the hidden QEMU emulator, which boots a malicious Linux environment on the Windows host.

[Figure: Contents of OneAmerica Survey.zip as it would appear to the user]

The batch file uses explorer.exe to open an image hosted on a remote server; the image mimics a simple server error so that the user dismisses it without suspicion.

When the image is clicked, the user’s default browser opens, which can expose information to the attacker. The image is hosted on a public forum, which makes it easy to reach and hard to trace.

[Figure: Lure image]

The QEMU instance boots a custom Tiny Core Linux distribution named “PivotBox”, configured to run silently in the background.
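A hidden, renamed QEMU process on a Windows host is what a defender can actually catch in this chain. The following is an added detection sketch, not code from the article or from Securonix: it scores process-creation events by QEMU-characteristic command-line switches (so a renamed emulator such as fontdiag.exe still matches), headless display settings, a user-writable launch path and a script-interpreter parent. The sample events, the command lines and the loopback SSH forward are constructed for illustration.

```python
import ntpath
import shlex
from typing import Dict, List

# Switches that mark a process as QEMU no matter what the .exe is called
QEMU_SWITCHES = {"-hda", "-drive", "-cdrom", "-display", "-nographic",
                 "-netdev", "-snapshot", "-accel", "-boot"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed sample process-creation events; the first mimics the chain described in the article
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\OneAmerica Survey\data\fontdiag.exe",
     "command_line": r'"fontdiag.exe" -m 256 -hda PivotBox.qcow2 -display none '
                     r'-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",   # legitimate developer use
     "command_line": r"qemu-system-x86_64.exe -m 2048 -hda dev.qcow2 -display gtk",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def qemu_indicators(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a hidden QEMU launch (empty if not QEMU-like)."""
    argv = shlex.split(event["command_line"], posix=False)  # keep Windows backslashes literal
    lowered = [a.lower() for a in argv]
    hits = {a for a in lowered if a in QEMU_SWITCHES}
    if len(hits) < 2:               # require more than one QEMU-style switch to limit noise
        return []
    reasons = ["qemu-switches:" + ",".join(sorted(hits))]
    name = ntpath.basename(event["image"]).lower()
    if not name.startswith("qemu"):
        reasons.append("renamed-binary:" + name)
    headless = "-nographic" in lowered or any(
        lowered[i] == "-display" and lowered[i + 1] == "none" for i in range(len(lowered) - 1))
    if headless:
        reasons.append("headless")
    if any(marker in event["image"].lower() for marker in USER_WRITABLE):
        reasons.append("user-writable-path")
    parent = ntpath.basename(event["parent"]).lower()
    if parent in SCRIPT_PARENTS:
        reasons.append("script-parent:" + parent)
    return reasons


def flag_events(events: List[Dict[str, str]], min_reasons: int = 3) -> List[Dict[str, str]]:
    """Keep only events with enough independent indicators to warrant triage."""
    return [e for e in events if len(qemu_indicators(e)) >= min_reasons]
```

The threshold keeps an ordinary developer running a stock, windowed QEMU from Program Files below the alert line while the renamed, headless, script-launched copy in a temp folder is flagged.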

The VM is configured for automatic login, so the attacker gets a shell in the Linux environment without authenticating. Inside it they created two custom aliases, “get-host-shell” and “get-host-user”, for interacting with the host machine; both open SSH connections to the host’s loopback interface, using user-context information stored within the QEMU instance.

Analysis of the attacker’s preserved shell history (.ash_history) revealed their workflow and suggests an attempt to build a self-contained, stealthy toolkit for persistence. Early commands such as “ping google.com” and “wget” are initial network connectivity checks.

[Figure: A portion of the attacker’s .ash_history file]

The “wget” calls fetch resources both from bare IP addresses (likely the attacker’s internal testing infrastructure) and from potentially malicious content hosted on GitHub, which suggests a deliberate effort to gather the tools needed for the attack.

The attacker then establishes a foothold on the Tiny Core Linux system by installing tools for file manipulation (file, vim) and remote access (openssh).

Downloaded payloads (crondx) are validated and possibly disguised before execution, and configuration changes, including automatic execution of crondx at boot, are made persistent through /opt/bootlocal.sh and filetool.sh, the Tiny Core mechanisms for running commands at startup and saving changes across reboots.

Finally, the attacker generates an SSH key pair for passwordless access, enabling future re-entry; the archive tools installed (7z, unzip) suggest that further payloads or configurations may be deployed.

Reconnaissance started with commands like `uname` and `df` to learn the target architecture and available storage, after which sensitive files were potentially exfiltrated via `wget` to a free file-sharing service.

[Figure: File overview of crondx]

This methodical approach suggests a multi-stage attack with persistence in mind. The repeated download of `crondx` files from various URLs indicates the attacker may have been modifying and testing their payload until it functioned as intended. 

The crondx binary is a pre-configured Chisel client hardcoded to connect to a C2 server at 18.208.230[.]174. Chisel’s tunnelling capabilities, combined with the hardcoded configuration, make it a potent backdoor.

According to Securonix, the attackers can leverage this covert channel to establish persistent, encrypted communication with the compromised system, facilitating remote command execution and data exfiltration.

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
